Security researchers have unveiled a significant breakthrough in combating Distributed Denial of Service (DDoS) attacks that exploit vulnerable Memcached servers. Dubbed a “kill switch,” this mechanism could offer protection for businesses facing overwhelming cyber assaults.

Memcached reflection DDoS attacks have surged recently, characterized by a staggering amplification factor that can reach as high as 50,000. These attacks are among the most formidable in the history of cybersecurity, taking down major services and causing widespread disruption. The situation took a turn for the worse when proof-of-concept exploit code was made public, enabling even novice attackers to launch substantial cyber offensives with relative ease.

Despite widespread alerts, over 12,000 Memcached servers that support UDP remain exposed on the internet, raising the specter of impending attacks. Corero Network Security has discovered that DDoS victims can employ a simple command, either “shutdown\r\n” or “flush_all\r\n,” to disrupt the attacker’s attempts at amplification. The “flush_all” command clears all cached data without restarting the server, thereby mitigating the attack’s impact.

Corero’s kill switch has been rigorously tested on live Memcached servers under attack and has shown a 100% success rate. This solution has already been shared with national security agencies. In light of these findings, security researcher Amir Khashayar Mohammadi released a DDoS mitigation tool, Memfixed, designed to automate the process of sending shutdown or flush commands to vulnerable servers. Built in Python, Memfixed leverages the Shodan API to identify susceptible Memcached instances.

Moreover, researchers highlighted that the existing Memcached vulnerability, identified as CVE-2018-1000115, poses risks beyond facilitating DDoS attacks. Attackers can exploit this flaw to steal or manipulate sensitive data stored in these servers. Memcached is often utilized in dynamic, database-driven websites to enhance performance by caching data in RAM. Unfortunately, because Memcached does not require authentication, attackers can extract confidential information without facing barriers.

The implications are severe; attackers can access sensitive customer data, emails, and more through a simple debug command capable of revealing the “keys” to the cached information. This vulnerability grants them the means not only to retrieve data but also to modify and reinsert it into the cache surreptitiously, thereby endangering data integrity.

In light of these risks, it is highly recommended that server administrators update to the latest version of Memcached (1.5.6), which disables UDP by default, significantly reducing the likelihood of amplification and reflection attacks.
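To check an existing deployment against that guidance, the following is an added example (not from Corero, Memfixed or the Memcached project) that audits a Debian-style memcached.conf for a disabled UDP listener (`-U 0`) and a loopback bind address (`-l 127.0.0.1`); the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a Debian-style memcached.conf (one option per line, e.g. "-U 0") for
# the two settings that stop a host being used as a UDP reflector:
#   -U 0          disable the UDP listener (the default only from 1.5.6 on)
#   -l 127.0.0.1  bind to loopback instead of every interface
# Returns 0 when hardened, 1 when exposed; findings go to stdout.
audit_memcached_conf() {
    conf="$1"
    status=0
    # Drop comments, then take the last value given for each option.
    udp_port=$(sed -e 's/#.*//' "$conf" | awk '$1=="-U"{print $2}' | tail -n1)
    listen=$(sed -e 's/#.*//' "$conf" | awk '$1=="-l"{print $2}' | tail -n1)
    if [ -z "$udp_port" ]; then
        echo "WARN: no -U option; versions before 1.5.6 open UDP 11211 by default"
        status=1
    elif [ "$udp_port" != "0" ]; then
        echo "WARN: UDP enabled on port $udp_port; set '-U 0'"
        status=1
    else
        echo "OK: UDP disabled (-U 0)"
    fi
    case "$listen" in
        "") echo "WARN: no -l option; listener binds all interfaces"; status=1 ;;
        127.0.0.1|::1|localhost) echo "OK: bound to loopback ($listen)" ;;
        *) echo "INFO: bound to $listen; confirm it is not internet-reachable" ;;
    esac
    return $status
}

# Constructed sample configs (not taken from any real host).
exposed_conf=$(mktemp)
printf '%s\n' '# pre-1.5.6 style defaults' '-p 11211' '-U 11211' '-m 64' > "$exposed_conf"
hardened_conf=$(mktemp)
printf '%s\n' '-p 11211' '-U 0' '-l 127.0.0.1' '-m 64' > "$hardened_conf"

echo "== $exposed_conf"
audit_memcached_conf "$exposed_conf" || echo "=> EXPOSED"
echo "== $hardened_conf"
audit_memcached_conf "$hardened_conf" && echo "=> HARDENED"
rm -f "$exposed_conf" "$hardened_conf"
```

Point it at /etc/memcached.conf on a host you administer; a WARN line means the server will answer UDP queries from anyone who can reach it.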

As businesses increasingly depend on cloud services and networked applications for their operations, understanding and protecting against these vulnerabilities becomes imperative. Employing robust security measures and staying informed about potential risks will be crucial in navigating the cybersecurity landscape.
